On September 15, 2020, the New York Attorney General’s Office (NYAG) announced a settlement with Dunkin’ Brands, Inc. (Dunkin) in connection with a September 2019 lawsuit brought by the NYAG against Dunkin for alleged failures to adequately respond to cyberattacks that impacted approximately 300,000 customers. The proposed settlement—which still must be approved by the court—requires Dunkin to, among other things, notify customers impacted by the attacks, maintain specific cybersecurity procedures to prevent future cyberattacks, and pay $650,000 in penalties.
In September 2019, the NYAG filed a lawsuit against Dunkin in New York County Supreme Court (The People of The State of New York et al. v. Dunkin’ Brands Inc., Index No. 451787/2019) alleging that Dunkin failed to take appropriate action in response to cyberattacks that targeted customers’ data.
According to the complaint, in 2015, Dunkin’s customer accounts were targeted in a series of online attacks, during which attackers gained access to “tens of thousands or customer accounts” and stole “[t]ens of thousands of dollars on customers’ store value cards.” Dunkin allegedly became aware of these attacks as early as May 2015, when a third-party app developer alerted Dunkin to the attackers’ attempts to access customer accounts and provided Dunkin’ with a list of over 19,000 customer accounts that had been accessed… The National Law Review
